Abstract. Conjugacy is not the only possible primitive for designing braid-based protocols. To illustrate this principle, we describe a Fiat-Shamir-style authentication protocol that can be implemented using any binary operation that satisfies the left self-distributive law. Conjugation is an example of such an operation, but there are other examples, in particular the shifted conjugation on Artin's braid group $B_\infty$, and the finite Laver tables. In both cases, the underlying structures have a high combinatorial complexity, and they lead to difficult problems.



Most of the braid-based cryptographic schemes proposed so far [1, 18, 13] rely on the supposed complexity of the conjugation operation in Artin's braid groups. In this note, we would like to stress the fact that conjugation is by far not the only possible primitive operation for designing braid-based protocols.

To illustrate this general idea on a concrete example, we shall discuss an authentication scheme directly reminiscent of the Fiat-Shamir scheme, and a variant of some scheme considered in [20] in the case of braids. We show that such a scheme can be implemented naturally in every algebraic system that involves a binary operation that satisfies the algebraic law $x(yz) = (xy)(xz)$, called (left) self-distributivity. Conjugation on any group is an example of such an operation, but there are other examples, in particular the operation that we call shifted conjugation on Artin's braid group $B_\infty$. There are reasons to think that shifted conjugation is (much) more complicated than standard conjugation, and it could provide a promising alternative primitive for braid-based cryptography.

We also mention the Laver tables, which provide other examples of self-distributive operations, this time on a finite underlying domain of size $2^n$. Again, these combinatorially very complex structures could provide a valuable platform.

1. A Fiat-Shamir-like authentication scheme

Here we start with the general principle of the Fiat-Shamir authentication 
scheme, and show that, under rather natural hypotheses, it can be implemented in 
any algebraic system involving a self-distributive binary operation. 

1.1. The general principle. Let us start with an arbitrary set $S$, and try to construct an authentication scheme using the elements of $S$. To this end, we assume that a function $F_s$ of $S$ into itself is attached to each element $s$ of $S$, and that there exist efficiently sampleable distributions on $S$ such that, provided $s$ and $p$ are chosen according to them, the probability that $s$ can be retrieved from the pair $(p, F_s(p))$ in feasible running time is negligible. Under such hypotheses, we can use $s$ as a private key, and $(p, F_s(p))$ as a public key.

A natural idea for designing an authentication scheme is to let the prover appeal to a second, auxiliary (random) key $r$, and use $F_r(s)$ as a disguised version of $s$. What we need for a Fiat-Shamir-like authentication scheme is a commitment of the verifier guaranteeing that $r$ is fixed, and an equality witnessing that $F_r(s)$ is connected in some way to $s$, via the commitment of the prover. As the elements $p$ and $F_s(p)$ are public, it is natural to use $F_r(p)$ and/or $F_r(F_s(p))$ as the commitment(s) of the prover. Indeed, the assumption that $x$ cannot be retrieved from $(y, F_x(y))$, which is already needed for $(p, F_s(p))$, automatically guarantees that $r$ cannot be retrieved from the commitments of the prover.

Then what we need is some equality connecting $x = F_r(p)$, $y = F_r(F_s(p))$, and $s$, in a way that heavily involves $s$, i.e., in such a way that the probability for another $s$ to give rise to the same equality is negligible. A simple, but very particular, solution is to require that $F_s$ and $F_r$ commute: in this case, the connection between $x$ and $y$ is just $y = F_s(x)$. This situation is essentially that considered in [21, 18], and it is not suitable in the current framework as the verifier would have to know the secret $s$.

A more general and flexible solution is to require that $F_r(F_s(p))$ be connected to $F_r(p)$ and $s$ by some relation of the form $F_r(F_s(p)) = G_{r,s}(F_r(p))$ for some new function $G_{r,s}$. A not so special case is when $G_{r,s}$ is itself of the form $F_{g(r,s)}$ where $g$ is some mapping of $S \times S$ into $S$: considering such a case is natural, because it avoids introducing a new family of functions and it enables one to work with the functions $(F_s)_{s \in S}$ solely. For the same reason, it is natural to consider the case when $g(r, s)$ is defined in terms of the $F$-functions, typically $g(r, s) = F_r(s)$. This leads to requiring that the functions $F_s$ satisfy the condition

(1.1)   $F_r(F_s(p)) = F_{F_r(s)}(F_r(p))$,

and to use this equality for proving authentication.

1.2. An authentication scheme. The previous analysis leads to considering the following authentication scheme.

We assume that $S$ is a set and $(F_s)_{s \in S}$ is a family of functions of $S$ to itself that satisfies Condition (1.1). Then the public keys are a pair $(p, p')$ of elements of $S$ satisfying $p' = F_s(p)$, while $s$ is Alice's private key. The authentication procedure consists in repeating $k$ times the following three exchanges:

    A chooses $r$ in $S$, and sends the commitments $x = F_r(p)$ and $x' = F_r(p')$;

    B chooses a random bit $c$ and sends it to A;

    For $c = 0$, A sends $y = r$, and B checks $x = F_y(p)$ and $x' = F_y(p')$;

    For $c = 1$, A sends $y = F_r(s)$, and B checks $x' = F_y(x)$.

The correctness of the scheme directly follows from Condition (1.1). Its security relies on the following assumptions:

(i) It is impossible to retrieve $s$ from the pair $(p, F_s(p))$, and, more generally, it is impossible to find $s'$ satisfying $F_s(p) = F_{s'}(p)$; similar assertions hold for the pairs $(p, F_r(p))$, $(p', F_r(p'))$, and $(F_r(p), F_r(p'))$;

(ii) It is impossible to deduce $s$ from $F_r(s)$ when $r$ is unknown.

1.3. Self-distributive operations. Specifying an $S$-indexed family of mappings of a set $S$ into itself amounts to specifying a binary operation on $S$, namely the operation $*$ defined by $x * y = F_x(y)$. Conversely, $(F_s)_{s \in S}$ is the family of all left translations for $(S, *)$. Now, in terms of the operation $*$, Condition (1.1) becomes

(1.2)   $r * (s * p) = (r * s) * (r * p)$,

i.e., it asserts that the operation $*$ satisfies the left self-distributivity law, usually denoted (LD).

Definition 1.1. A set equipped with a binary operation satisfying (1.2) is called an LD-system.

Translating the previous authentication scheme into the language of LD-systems yields the following version.

Assume that $(S, *)$ is an LD-system. The public keys are a pair $(p, p')$ of elements of $S$ satisfying $p' = s * p$, while $s$ is Alice's private key. The authentication procedure consists in repeating $k$ times the following three exchanges:

    A chooses $r$ in $S$, and sends the commitments $x = r * p$ and $x' = r * p'$;

    B chooses a random bit $c$ and sends it to A;

    For $c = 0$, A sends $y = r$, and B checks $x = y * p$ and $x' = y * p'$;

    For $c = 1$, A sends $y = r * s$, and B checks $x' = y * x$.
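The scheme of Section 1.3 run end to end, as an added example that is not part of the paper: the platform is the classical LD-system of a group with conjugation (here the symmetric group on 12 points, a toy stand-in chosen only so that the code runs), and an impostor round shows why, without $s$, each exchange can be answered for one value of $c$ only. All names, the point count and the seeds are choices made here.

```python
import random

# Platform: the classical LD-system of Section 2.1, conjugation x * y = x y x^{-1}
# in the symmetric group on N_POINTS points; a permutation is a tuple i -> perm[i].
N_POINTS = 12

def compose(a, b):            # (a∘b)(i) = a[b[i]]
    return tuple(a[b[i]] for i in range(len(b)))

def inverse(a):
    inv = [0] * len(a)
    for i, j in enumerate(a): inv[j] = i
    return tuple(inv)

def star(x, y):               # x * y = x · y · x^{-1}, a left self-distributive operation
    return compose(compose(x, y), inverse(x))

def random_elem(rng):
    p = list(range(N_POINTS))
    rng.shuffle(p)
    return tuple(p)

def keygen(rng):
    s, p = random_elem(rng), random_elem(rng)
    return s, (p, star(s, p))             # private key s; public key (p, p'), p' = s * p

def prover_commit(pub, rng):
    p, pp = pub
    r = random_elem(rng)
    return r, (star(r, p), star(r, pp))   # x = r * p, x' = r * p'

def prover_respond(s, r, c):
    return r if c == 0 else star(r, s)    # y = r for c = 0, y = r * s for c = 1

def verifier_check(pub, commit, c, y):
    p, pp = pub
    x, xp = commit
    if c == 0:
        return x == star(y, p) and xp == star(y, pp)
    return xp == star(y, x)               # x' = r*(s*p) = (r*s)*(r*p) = y*x by (1.2)

def run_protocol(k, seed=0):
    """k honest rounds between Alice (who knows s) and Bob; True iff all pass."""
    rng = random.Random(seed)
    s, pub = keygen(rng)
    for _ in range(k):
        r, commit = prover_commit(pub, rng)
        c = rng.randrange(2)
        if not verifier_check(pub, commit, c, prover_respond(s, r, c)):
            return False
    return True

def impostor_round(pub, c, rng):
    """Without s one can prepare for challenge 1 only: choose x and y freely and
    set x' = y * x.  Answering c = 0 as well would need r with r * p = x and
    r * p' = x', i.e. solving the *-Search Problem of assumption (i)."""
    x, y = random_elem(rng), random_elem(rng)
    commit = (x, star(y, x))
    return verifier_check(pub, commit, c, y if c == 1 else random_elem(rng))

def impostor_demo(seed=1):
    """(passes c = 1, passes c = 0) for one impostor commitment."""
    rng = random.Random(seed)
    _, pub = keygen(rng)
    return impostor_round(pub, 1, rng), impostor_round(pub, 0, rng)
```

With $k$ rounds the impostor's chance of guessing every bit is $2^{-k}$, which is why the exchanges are repeated.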



2. LD-systems

The algebraic platforms eligible for implementing the scheme of Section 1 are LD-systems, and we are led to reviewing the existing examples of such algebraic systems.

2.1. Classical examples. A trivial example of an LD-system is given by an arbitrary set $S$ equipped with the operation $x * y = y$, or, more generally,

$x * y = f(y)$,

where $f$ is any map of $S$ into itself. Such examples are clearly not relevant for the scheme of Section 1, as the secret $s$ plays no role in the computation.

The most classical example of an LD-system is provided by a group $G$ equipped with the conjugacy operation

$x * y = x y x^{-1}$.

When $G$ is a non-abelian group for which the conjugacy problem is sufficiently difficult, $G$ is relevant for the scheme of Section 1 and, more generally, for the various schemes based on the Conjugacy Search Problem such as those of [21, 18] or [?]. Typical platform groups that have been much discussed in this context are Artin's braid groups $B_n$; in particular, the specific scheme considered in Section 1 is, in the case of the group $B_n$, (a variant of a scheme) proposed by H. Sibert in his PhD thesis [20].
2.2. The shifted conjugacy of braids. Now, and this is the point we wish to emphasize here, examples of LD-systems of a very different flavour exist.

Those LD-systems are connected with free LD-systems, i.e., LD-systems that satisfy no other relations than those resulting from self-distributivity itself. It is easy to understand that a group equipped with conjugacy, even a free group, is not a free LD-system: indeed, the conjugacy operation always satisfies (among others) the idempotency law $x * x = x$, and the latter is not a consequence of (LD), as shown by the existence of non-idempotent LD-systems such as the integers equipped with $x * y = y + 1$.

Actually, free LD-systems are quite complicated objects, and we refer to [5], which contains an extensive description. For our purpose, it will be enough to know that, for some deep reasons that need not be explained here, there exists a simple self-distributive operation on Artin's braid group $B_\infty$ that includes many copies of the free LD-system with one generator. Let us first recall the definition [2, 15]:

Definition 2.1 (braid group). For $n \ge 2$, Artin's braid group $B_n$ is defined to be the group with presentation

(2.1)   $\langle \sigma_1, \dots, \sigma_{n-1} \ ; \ \sigma_i \sigma_j = \sigma_j \sigma_i \text{ for } |i - j| \ge 2, \ \sigma_i \sigma_j \sigma_i = \sigma_j \sigma_i \sigma_j \text{ for } |i - j| = 1 \rangle$.

For each $n$, the identity mapping on $\{\sigma_1, \dots, \sigma_{n-1}\}$ induces an embedding of $B_n$ into $B_{n+1}$, so that the groups $B_n$ naturally arrange into an inductive system of groups, and the limit is denoted by $B_\infty$: this is just the group generated by an infinite family $\sigma_1, \sigma_2, \dots$ subject to the relations (2.1).

Lemma 2.2. Let $\partial$ be the shift mapping of the sequence $(\sigma_1, \sigma_2, \dots)$, i.e., the function mapping $\sigma_i$ to $\sigma_{i+1}$ for each $i$. Then $\partial$ induces an injective morphism of $B_\infty$ into itself.

Proof (sketch). As the relations of (2.1) are invariant under shifting the indices, $\partial$ induces a well-defined endomorphism of $B_\infty$. That this endomorphism is injective follows from the interpretation of the elements of $B_\infty$ in terms of braid diagrams [5]: the geometric operation of deleting the leftmost strand is then well-defined, and it enables one to deduce $x = y$ from $\partial x = \partial y$. □

The main notion is then the following.

Definition 2.3 (shifted conjugacy). For $x, y$ in $B_\infty$, we put

(2.2)   $x * y = x \cdot \partial y \cdot \sigma_1 \cdot \partial x^{-1}$.

The above operation is a skew version of conjugation: $y$ appears in the middle, and it is surrounded by $x$ and $x^{-1}$; the difference with ordinary conjugation lies in the introduction of the shift $\partial$, and of the generator $\sigma_1$. The reader can check the equalities

$1 * 1 = \sigma_1$, $\quad 1 * \sigma_1 = \sigma_2 \sigma_1$, $\quad \sigma_1 * 1 = \sigma_1^2 \sigma_2^{-1}$, $\quad \sigma_1 * \sigma_1 = \sigma_2 \sigma_1$,

which show that shifted conjugation is quite different from conjugation.

Proposition 2.4 ([?]). The system $(B_\infty, *)$ is an LD-system. Moreover, every braid generates under $*$ a free sub-LD-system.

Checking that the operation defined in (2.2) satisfies the LD law is an easy verification. In the context of groups, the property that every element generates a free subgroup is torsion-freeness. Thus Proposition 2.4 expresses that $(B_\infty, *)$ is in some sense a torsion-free LD-system.
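An added example, not from the paper: braid words are represented through the faithful Artin action on a free group, which decides equality in $B_\infty$, and this is used to check the four equalities above, the LD law of Proposition 2.4 on random triples, and the failure of idempotency that separates shifted conjugacy from conjugation. The strand bound N, the word lengths and the seed are choices made here.

```python
import random

N = 8   # strands: the words below use sigma_1, sigma_2 and at most two shifts, so B_6 suffices

def reduce_word(w):
    """Free reduction in F_N; letters are nonzero ints, -j standing for x_j^{-1}."""
    out = []
    for g in w:
        if out and out[-1] == -g:
            out.pop()
        else:
            out.append(g)
    return out

def gen_action(i, sign):
    """Artin action of sigma_i^{sign} on x_1..x_N:
    sigma_i: x_i -> x_i x_{i+1} x_i^{-1}, x_{i+1} -> x_i, other x_j fixed."""
    img = {j: [j] for j in range(1, N + 1)}
    if sign > 0:
        img[i], img[i + 1] = [i, i + 1, -i], [i]
    else:
        img[i], img[i + 1] = [i + 1], [-(i + 1), i, i + 1]
    return img

def apply(aut, word):
    out = []
    for g in word:
        out.extend(aut[g] if g > 0 else [-h for h in reversed(aut[-g])])
    return reduce_word(out)

def braid_aut(word):
    """Automorphism of F_N attached to a braid word (k stands for sigma_|k|^{sign k}).
    The Artin representation is faithful: two words are equal in B_N iff
    their automorphisms coincide, which is how equal() decides braid equality."""
    aut = {j: [j] for j in range(1, N + 1)}
    for k in word:
        g = gen_action(abs(k), 1 if k > 0 else -1)
        aut = {j: apply(aut, g[j]) for j in range(1, N + 1)}
    return aut

def equal(u, v):
    return braid_aut(u) == braid_aut(v)

def shift(word):             # the shift endomorphism: sigma_i -> sigma_{i+1}
    return [k + 1 if k > 0 else k - 1 for k in word]

def inverse(word):
    return [-k for k in reversed(word)]

def shifted_conj(x, y):      # x * y = x · ∂y · σ1 · (∂x)^{-1}   (Definition 2.3)
    return x + shift(y) + [1] + inverse(shift(x))

def conj(x, y):              # ordinary conjugation x y x^{-1}, for comparison
    return x + y + inverse(x)

def is_ld(op, x, y, z):
    """Does x * (y * z) = (x * y) * (x * z) hold for this triple?"""
    return equal(op(x, op(y, z)), op(op(x, y), op(x, z)))

def random_ld_check(op, trials=12, seed=1):
    rng = random.Random(seed)
    word = lambda: [rng.choice([1, 2, -1, -2]) for _ in range(rng.randrange(3))]
    return all(is_ld(op, word(), word(), word()) for _ in range(trials))
```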

Understanding why the weird definition of shifted conjugacy has to appear requires a rather delicate analysis which is the main subject of the book [5]. It can be observed that, once the definition (2.2) is used, braids inevitably appear. Indeed, if we assume that $G$ is a group, that $f$ is an endomorphism of $G$, and that $a$ is a fixed element of $G$, then defining

$x * y = x \, f(y) \, a \, f(x)^{-1}$

yields a left self-distributive operation (if and) only if the subgroup of $G$ generated by the elements $f^n(a)$ is a homomorphic image of Artin's braid group $B_\infty$, i.e., up to an isomorphism, it is $B_\infty$ or a quotient of the latter group.

2.3. Discussion. Our intuition is that the LD-system $(B_\infty, *)$, i.e., braids equipped with shifted conjugacy, might be a promising platform for implementing the scheme of Section 1, or, more generally, for implementing any scheme based on a left self-distributive operation. This intuition ought to be confirmed by experimental evidence, which at this early stage is not yet available. Here we content ourselves with a few remarks about the respective properties of conjugacy and shifted conjugacy in $B_\infty$.

First, note that in general using free structures does not seem a very good idea in cryptography, as by definition the free structures are those in which the least possible number of equalities are satisfied, a not very good framework for hiding things. That is why, for instance, a free LD-system would probably not be the optimal platform for implementing the scheme of Section 1. However, the LD-system $(B_\infty, *)$ is far from being free, and it is even conjectured that it contains no free LD-system with two generators. For instance, the equality $\sigma_1 * \sigma_1 = \sigma_2 * \sigma_2$ $(= \sigma_2 \sigma_1)$ shows that the sub-LD-system generated by $\sigma_1$ and $\sigma_2$ is not free. No presentation of $(B_\infty, *)$ as an LD-system is known.

Practically, using shifted conjugacy of braids as suggested here relies on the difficulty of the following problem, which is analogous to the Conjugacy Search Problem:

    Shifted Conjugacy Search Problem: Assuming that $s, p$ are braids in $B_\infty$ and $p' = s * p$ holds, find a braid $s'$ satisfying $p' = s' * p$.

Contrary to the Conjugacy Search Problem, no solution to the Shifted Conjugacy Search Problem is known so far. It is not even known whether the simple Shifted Conjugacy Problem is decidable, i.e., whether one can effectively decide for two braids $p, p'$ the existence of $s$ satisfying $p' = s * p$. It is likely that shifted conjugacy is quite different from ordinary conjugacy, and that none of the many specific results established for the latter [14, 11, 15] extends to shifted conjugacy. In particular, we see no simple strategy for constructing the "shifted super summit set" of a braid $p$, defined as the family of all shifted conjugates of $p$ with minimal canonical length, which is the key point in all solutions to the Conjugacy Problem known so far.

However, it is fair to mention that the Shifted Conjugacy Search Problem, which should not be threatened by specific attacks against the Conjugacy Search Problem [16, 19], remains, as the latter, an instance of the general Decomposition Problem and, as such, it is not a priori immune against length-based attacks [17, 12, 13].
To emphasize the difference between ordinary and shifted conjugations, we point out

Proposition 2.5 ([?, Corollary 1.8]). The mapping $f : s \mapsto s * 1$ is injective.

In the case of ordinary conjugacy, every conjugate of $1$ is $1$, so the above injective function $f$ is replaced with the constant function with value $1$. By the way, very little is known about $f$. In particular, we raise

Question 2.6. Starting with a braid $p$, find $s$ satisfying $s * 1 = p$ (when it exists).

Once more, nothing is known. This might suggest using $f$ as a possible one-way function on braids.



3. The Laver tables and other algebraic systems

To conclude, we mention that braids are not the only possible platform for implementing self-distributive operations, and that the self-distributivity law is not even the only algebraic law eligible for the approach sketched in Section 1.



3.1. The Laver tables. Instead of resorting to an infinite LD-system like $B_\infty$ equipped with shifted conjugacy, one could instead use finite LD-systems. Such algebraic systems are far from being completely understood, but there exists an infinite sequence of so-called Laver tables that plays a fundamental role among LD-systems (similar to the role of the cyclic groups $\mathbb{Z}/p\mathbb{Z}$ among finite abelian groups) and, at the same time, has a high combinatorial complexity.

We refer to Chapter X of [6] for details. For our current overview, it is enough to mention that, for each nonnegative integer $n$, there exists a unique LD-system $A_n$ such that the underlying set is the $2^n$-element interval $\{0, 1, \dots, 2^n - 1\}$ and one has $p * 0 = p + 1$ for $0 \le p \le 2^n - 2$ and $(2^n - 1) * 0 = 0$. The value of $p * q$ in $A_n$ can be easily computed using a double induction, on $q$ increasing from $0$ to $2^n - 1$ and on $p$ decreasing from $2^n - 1$ to $0$, using the rule

$p * (q + 1) = (p * q) * (p * 0)$,

and observing that $p * q$ has to be always strictly larger than $p$. Table 1 displays the first four Laver tables.
Table 1. The Laver tables $A_n$ with $0 \le n \le 3$.

Several general phenomena can be observed on these particular examples. First, for each $n$, the table $A_n$ with $2^n$ elements is the projection modulo $2^n$ of the table $A_{n+1}$ with $2^{n+1}$ elements. In other words, if we use a length $n$ binary representation for the elements of $A_n$, only the dominant bit of each value has to be computed in order to determine $A_{n+1}$ from $A_n$. Next, every row in the table $A_n$ is periodic, with a period that is a power of $2$. More precisely, for each $p$, the row of $p$ in $A_n$ consists of $2^k$ values

$r_0 = p + 1 < r_1 < \dots < r_{2^k - 1} = 2^n - 1$

repeated $2^{n-k}$ times. One can show that, if $(r_0, \dots, r_{2^k - 1})$ is the periodic pattern in the row of $p$ in $A_n$, with $r_0 = p + 1$ and $r_{2^k - 1} = 2^n - 1$, and if $t$ denotes the smallest integer for which one has $p * t \ge 2^n$ in $A_{n+1}$, then

(i) either $t = 2^k$ holds, the period of $p$ doubles from $2^k$ to $2^{k+1}$ between $A_n$ and $A_{n+1}$, and the periodic pattern in $A_{n+1}$ is $(r_0, \dots, r_{2^k - 1}, r_0 + 2^n, \dots, r_{2^k - 1} + 2^n)$,

(ii) or $0 \le t < 2^k$ holds, the period of $p$ remains $2^k$ in $A_{n+1}$, and the periodic pattern in $A_{n+1}$ is $(r_0, \dots, r_{t-1}, r_t + 2^n, \dots, r_{2^k - 1} + 2^n)$.

In each case, the only piece of information needed to construct the row of $p$ in $A_{n+1}$ from the row of $p$ in $A_n$ is the value of $t$, which is called the threshold of $p$ in $A_n$, and, therefore, the list of thresholds suffices to construct $A_{n+1}$ from $A_n$ (cf. Table 1). Note that, as $A_n$ is the projection of $A_{n+1}$, we can consider that we work in the inverse limit $A_\infty$ of the tables $A_n$, i.e., we are constructing an LD-operation on 2-adic numbers.
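The construction and the three phenomena just described, as an added example that is not part of the paper: $A_n$ is built by the double induction of Section 3.1, and the projection property, the power-of-2 periods, the thresholds and the row-rebuilding rule (i)/(ii) are each checked on the computed tables. Function names are choices made here.

```python
def laver_table(n):
    """A_n on {0, ..., 2^n - 1}: the row of 2^n - 1 is the identity, p * 0 = p + 1
    otherwise, and p * (q + 1) = (p * q) * (p * 0) fills the rest.  Rows are
    computed for p decreasing, since both factors on the right are larger than p."""
    size = 1 << n
    t = [[0] * size for _ in range(size)]
    t[size - 1] = list(range(size))
    for p in range(size - 2, -1, -1):
        t[p][0] = p + 1
        for q in range(size - 1):
            t[p][q + 1] = t[t[p][q]][t[p][0]]
    return t

def is_ld(t):
    n = range(len(t))
    return all(t[p][t[q][r]] == t[t[p][q]][t[p][r]] for p in n for q in n for r in n)

def projects_onto(big, small):
    """A_{n+1} reduced modulo 2^n coincides with A_n (projection property)."""
    m, n = len(small), range(len(big))
    return all(big[p][q] % m == small[p % m][q % m] for p in n for q in n)

def period(row):
    """Smallest d with row[q] == row[q mod d] for all q; always a power of 2."""
    return next(d for d in range(1, len(row) + 1)
                if len(row) % d == 0 and all(row[q] == row[q % d] for q in range(len(row))))

def thresholds(n):
    """Threshold of p in A_n: the smallest t with p * t >= 2^n in A_{n+1}."""
    big, size = laver_table(n + 1), 1 << n
    return [next(t for t in range(size + 1) if big[p][t] >= size) for p in range(size)]

def next_row(row, t, n):
    """Rebuild the row of p in A_{n+1} from its pattern in A_n and its threshold t,
    following cases (i) and (ii): t == period doubles the pattern, otherwise
    2^n is added to the entries from position t on."""
    pat = row[:period(row)]
    if t == len(pat):
        pat = pat + [r + (1 << n) for r in pat]
    else:
        pat = pat[:t] + [r + (1 << n) for r in pat[t:]]
    return [pat[q % len(pat)] for q in range(2 << n)]
```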
The reason for mentioning the Laver tables here is that their combinatorial properties seem to be very complicated. In particular, predicting the values in the first half of the sequence of thresholds is extremely difficult (the values in the second half are always $0, 0, 2^n$): this is witnessed by the results of [8, 9, 10] which show that fast growing functions are necessarily involved here.

3.2. Central duplication. As a final remark, we come back to the Fiat-Shamir-like authentication scheme of Section 1. We noted that its security requires two conditions, namely one that is directly connected with the difficulty of what can be called the $*$-Search Problem, and the additional requirement that communicating $F_r(s)$, i.e., $r * s$, gives no practical information about $s$ when $r$ remains unknown. Using the latter condition to forge an attack seems unclear, but, at least for aesthetic reasons, we might like to avoid it. This can be done, at the expense of changing the algebraic law.

Indeed, instead of communicating $F_r(s)$ in case $c = 1$ of the authentication scheme, Alice could communicate $F_s(r)$. In this case, the supposed difficulty of the $*$-Search Problem guarantees that $F_s(r)$ gives no information about $s$. Now, when the scheme is modified in this way, the equality checked by the verifier has to be modified as well. If we keep the same principle, we are led to replace Condition (1.1) with

(3.1)   $F_r(F_s(p)) = F_{F_s(r)}(F_r(p))$.

When Condition (3.1) is translated into the language of binary operations, we obtain a new algebraic law, namely

(3.2)   $r * (s * p) = (s * r) * (r * p)$,

instead of left self-distributivity. Nothing specific is known about this law so far, but it should be possible to use the general method explained for a similar law in [7] to construct concrete examples of algebras that satisfy it.

4. Conclusion 

We discussed various non-classical algebraic operations that could possibly be 
used as cryptographical primitives, typically for a Fiat-Shamir-like authentication 
scheme. The most promising example seems to be the shifted conjugacy operation 
on braids. At the least, the existence of such an operation shows that conjugacy 
is not the only possible primitive for braid-based cryptography, and that further 
investigation in this direction is needed. 